Re: ACL for system users?

2018-04-13 Thread Rubén Fernández Asensio
OK, I found it. I changed the "DIR_MODE" directive in file 
/etc/adduser.conf from 0755 to 02770 and "USERGROUPS" directive from 
"yes" to "no". Now all new users belong to the same group and their home 
directories have 2770 permissions, which Maildir inherits. Since their 
shell is /usr/sbin/nologin this probably isn't a big security hole. I 
can even unset "mail_access_groups".


I know this wasn't Dovecot-specific, but sometimes we Linux novices 
are thankful for a helping hand...


On 13/04/18 at 08:31, Aki Tuomi wrote:
> Dovecot will copy the mail root permissions when creating directories &
> folders.
>
> Aki


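An added audit script, not from the thread, that checks the layout the thread settles on: every home's Maildir should be group-shared with setgid (2770) so that Dovecot, which copies the mail root's permissions onto new folders, produces group-readable folders too. It also carries out the per-user chmod fix quoted in the original question for any Maildir created before the adduser.conf change. Assumes GNU stat and a /home-style layout with one directory per user.

```shell
#!/bin/sh
# Audit home directories for Maildirs whose mode does not match the
# group-shared layout (drwxrws--- = 2770). Added example; assumes GNU stat.

# Print the octal mode of a path (e.g. "2770"), nothing if it is absent.
mode_of() {
    [ -e "$1" ] && stat -c '%a' "$1"
}

# List every $root/*/Maildir whose mode differs from $want (default 2770).
# Output: one "<path> <mode>" line per non-compliant Maildir; no output
# means every mail root already has the expected mode.
audit_maildirs() {
    root=$1; want=${2:-2770}
    for home in "$root"/*/; do
        md="${home%/}/Maildir"
        [ -d "$md" ] || continue
        m=$(mode_of "$md")
        [ "$m" = "$want" ] || printf '%s %s\n' "$md" "$m"
    done
}

# Repair one Maildir the way the original question does it: the group
# gets the owner's bits and the setgid bit makes new subfolders inherit
# the group; Dovecot then copies this root's mode onto folders it creates.
fix_maildir() {
    chmod -R g=u "$1" && chmod g+s "$1"
}
```

Run `audit_maildirs /home` after changing adduser.conf to find the accounts that still need `fix_maildir`.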

Re: ACL for system users?

2018-04-13 Thread Aki Tuomi
Dovecot will copy the mail root permissions when creating directories &
folders.

Aki


On 12.04.2018 22:45, Rubén Fernández Asensio wrote:
>
> Hello all,
>
> I'm setting up an IMAP server with dovecot. I've set up system users
> with PAM authentication and Maildir mailboxes.
>
> I'd like to share mailboxes among them, but regardless of what I try,
> I bump into filesystem permissions.
>
> I want to have Maildirs created for new users with the right
> permissions. I even changed "UMASK" in file /etc/login.defs from 022
> to 002, but the Maildirs are still created with 700 permissions:
>
> ls -l /home/ximplet2/
> total 4
> drwx------ 9 ximplet2 users 4096 Apr 12 19:10 Maildir
>
> Really there's no better way than running "chmod -R g=u
> /home/ximplet2/Maildir" and "chmod g+s /home/ximplet2/Maildir" for
> every user? Really??
>
> I read that, before v.2, Dovecot had a "umask" option to do precisely
> what I need, but it was removed.
>
> How are we supposed to use ACL with system users nowadays?
>
> Rubeno
>
> P.S: my doveconf -n:
>
> # 2.2.31 (65cde28): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.19 (e5c7051)
> # OS: Linux 4.4.0-119-generic x86_64 Ubuntu 16.04.4 LTS
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = plain
> mail_access_groups = kundividantoj
> mail_location = maildir:~/Maildir:LAYOUT=fs
> mail_plugins = acl
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate mime foreverypart
> extracttext imapsieve vnd.dovecot.imapsieve
> namespace {
>   list = yes
>   location = maildir:%%h/Maildir:INDEXPVT=~/Maildir/Komunujo/%%n
>   prefix = Komunujo/%%n/
>   subscriptions = no
>   type = shared
> }
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Malnetujo {
>     auto = subscribe
>     comment = Mesaĝoj ne finitaj nek senditaj
>     special_use = \Drafts
>   }
>   mailbox Rubujo {
>     auto = subscribe
>     autoexpunge = 120 days
>     comment = Ĉi tien iras la forviŝitaj mesaĝoj
>     special_use = \Trash
>   }
>   mailbox Senditujo {
>     auto = subscribe
>     special_use = \Sent
>   }
>   mailbox Spamujo {
>     auto = create
>     autoexpunge = 30 days
>     comment = Mesaĝoj markitaj kiel ne deziritaj
>     special_use = \Junk
>   }
>   prefix =
>   subscriptions = yes
>   type = private
> }
> passdb {
>   driver = pam
> }
> plugin {
>   acl = vfile
>   acl_shared_dict = file:/var/lib/dovecot/kundividitaj/shared-mailboxes
>   imapsieve_mailbox1_before =
> file:/etc/dovecot/sieve/imapsieve/report-spam.sieve
>   imapsieve_mailbox1_causes = COPY FLAG
>   imapsieve_mailbox1_name = Spamujo
>   imapsieve_mailbox2_before =
> file:/etc/dovecot/sieve/imapsieve/report-ham.sieve
>   imapsieve_mailbox2_causes = COPY
>   imapsieve_mailbox2_from = Spamujo
>   imapsieve_mailbox2_name = *
>   sieve = file:~/sieve;active=~/.dovecot.sieve
>   sieve_after = /etc/dovecot/sieve/final
>   sieve_extensions = +vnd.dovecot.pipe +vnd.dovecot.debug
>   sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.debug
>   sieve_pipe_bin_dir = /usr/bin
>   sieve_plugins = sieve_imapsieve sieve_extprograms
> }
> protocols = " imap lmtp sieve"
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
>   unix_listener auth-userdb {
>     group =
>     mode = 0777
>     user =
>   }
> }
> ssl = required
> ssl_cert = 
> ssl_key =  # hidden, use -P to show it
> userdb {
>   driver = passwd
> }
> protocol lda {
>   mail_plugins = acl sieve
> }
> protocol imap {
>   mail_plugins = acl imap_acl imap_sieve
> }
>